Security & Compliance

Built with security, privacy, and regulatory compliance as foundational principles. Every infrastructure partner holds a SOC 2 attestation, all persistent data is stored within the EU, and any transient processing outside the EU runs under a zero-retention policy.

Transparency

AI use is clearly disclosed. Every mapping can be reviewed before output.

Human Oversight

AI suggests, you approve. Full control over every taxonomy mapping.

Data Sovereignty

Your data stays yours. Never used for AI training. All storage in the EU.

Security by Design

Encryption at rest and in transit, Row Level Security (RLS) for tenant isolation, expiring signed download URLs, and JWT authentication.

SOC 2 infrastructure

Every component of our stack is hosted by providers with independently audited SOC 2 attestation reports (Type II where noted below).

Vercel

Frontend Hosting

SOC 2 Type II, ISO 27001, GDPR

Frontend deployed with SOC 2 Type II attestation for Security, Confidentiality, and Availability.

Supabase

Database, Auth & Storage

SOC 2 Type II, HIPAA, GDPR

Database and auth with SOC 2 Type II attestation. Row Level Security policies enforce per-user data isolation inside the database itself, so a query made with a user's session token can only return that user's rows.

Fly.io

Backend (Amsterdam, EU)

SOC 2 Type II, EU Datacenter

Backend API hosted in Amsterdam, so all processing stays within the EU. Client connections use TLS 1.3; traffic between services on the private network is WireGuard-encrypted.

DeepInfra

Document Processing

SOC 2, ISO 27001, GDPR

Document preprocessing under a zero-retention policy: inputs and outputs are neither stored nor used for training.

OpenRouter

AI Model Gateway

SOC 2, GDPR, EU Routing

AI processing with Zero Data Retention and EU in-region routing for prompts and completions.

GDPR

General Data Protection Regulation (EU 2016/679). We act as a data processor and apply strict data protection measures.

Data protection

  • DPAs with all sub-processors
  • All persistent data stored within the EU
  • AES-256 at rest, TLS 1.3 in transit
  • Privacy by Design and Default (Art. 25)

Your rights

  • Access, rectify, and delete your data
  • Data portability in machine-readable formats
  • Breach notification within 72 hours of becoming aware (Art. 33)
  • Sub-processor list available on request

EU AI Act

Regulation on Artificial Intelligence (EU 2024/1689). Our AI system falls under the limited risk category — it assists with document analysis rather than making autonomous decisions.

Classification

  • Limited risk: transparency obligations (Art. 50) met
  • AI use clearly disclosed to users
  • Human-in-the-loop: all output requires approval
  • No autonomous financial decision-making

Measures

  • AI literacy requirements met (Art. 4)
  • No training on user data
  • Technical documentation maintained
  • Regular risk assessment

The full set of high-risk system obligations applies from 2 August 2026; Doc2iXBRL is not classified as a high-risk system.

EU Data Act

Regulation on Data Access and Use (EU 2023/2854). We support data portability and switching rights with no vendor lock-in.

  • Export your data in machine-readable formats at any time
  • No vendor lock-in — switch providers freely
  • No switching charges
  • Standard iXBRL output format ensures interoperability

Data security

Encryption & access

  • TLS 1.3 for all data in transit
  • AES-256 encryption at rest
  • JWT authentication, with tokens verified against the issuer's published JWKS
  • HMAC-signed download URLs with expiration
  • Row Level Security for data isolation
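The "HMAC-signed download URLs with expiration" item above names a pattern rather than showing it. The following is an added illustration of that pattern, not Doc2iXBRL's own code or any storage provider's signed-URL format: the server signs the object path together with an expiry timestamp using a server-held key, a client can present the URL until it expires, and altering either the path or the expiry invalidates the signature. The signing key, hostname and path layout are constructed for the example.

```python
"""Expiring, HMAC-signed download URLs (added example, not the product's code)."""
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed for this example; a real deployment loads the key from a secret store.
SIGNING_KEY = b"example-signing-key-do-not-use-in-production"
BASE_URL = "https://files.example.test"  # hypothetical download host


def _canonical(path: str, expires: int) -> bytes:
    # The exact bytes that get signed: path and expiry joined by a newline, which
    # cannot appear unescaped in a URL path, so the two fields cannot be shifted.
    return f"{path}\n{expires}".encode()


def sign_url(path: str, ttl_seconds: int, key: bytes = SIGNING_KEY,
             now: Optional[int] = None) -> str:
    """Return an absolute URL that is valid for ttl_seconds from `now`."""
    if not path.startswith("/"):
        raise ValueError("path must be absolute")
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(key, _canonical(path, expires), hashlib.sha256).hexdigest()
    query = urlencode({"exp": expires, "sig": sig})
    scheme, netloc, _, _, _ = urlsplit(BASE_URL)
    return urlunsplit((scheme, netloc, path, query, ""))


def verify_url(url: str, key: bytes = SIGNING_KEY, now: Optional[int] = None) -> bool:
    """True only if the URL is unexpired and its signature covers this exact path and expiry."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    try:
        expires = int(params["exp"][0])
        presented = params["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False  # missing or malformed parameters: fail closed
    if expires < now:
        return False  # expired links are rejected before any key material is used
    expected = hmac.new(key, _canonical(parts.path, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison; a plain == would leak how many leading bytes matched.
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    issued_at = 1_700_000_000
    url = sign_url("/docs/report.pdf", ttl_seconds=600, now=issued_at)
    print(url)
    print("valid   :", verify_url(url, now=issued_at + 100))
    print("expired :", verify_url(url, now=issued_at + 601))
    print("tampered:", verify_url(url.replace("report.pdf", "other.pdf"), now=issued_at + 100))
```

Binding the path and the expiry into one signed string is the property that matters: a URL issued for one object cannot be rewritten to fetch another, and its lifetime cannot be extended by editing the `exp` parameter. The expiry check runs first so that expired links are rejected without touching the key, and the digest comparison is constant-time. Rotating `SIGNING_KEY` invalidates every outstanding link at once, which is the expected behaviour after a suspected key exposure.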

EU data residency

  • Backend in Amsterdam (Fly.io)
  • Database in EU region (Supabase)
  • AI via EU routing (OpenRouter)
  • Zero-retention for transient non-EU processing
  • No persistent data outside EU/EEA

Data retention

Data type             Retention              Deletion
Uploaded documents    Until user deletes     Immediate on request
Generated iXBRL       Until user deletes     Immediate on request
AI processing data    Not retained           Discarded after processing (ZDR)
Account data          Duration of contract   30 days after deletion
Audit logs            12 months              Automatic

For security inquiries, compliance documentation, or vulnerability reports: contact@doc2ixbrl.com
